This page provides a high level overview for a number of VPC
concepts and features.

VPC networks

You can think of a VPC network the same way you'd think of a
physical network, except that it is virtualized within GCP. A
VPC network is a global resource which consists of a list of
regional virtual subnetworks (subnets) in data centers, all connected by a
global wide area network. VPC networks are logically isolated
from each other in GCP.

Firewall rules

Each VPC network implements a distributed virtual firewall that
you can configure. Firewall rules allow you to control which packets are allowed
to travel to which destinations. Every VPC network has two
implied firewall rules that block
all incoming connections and allow all outgoing connections.

The default network has additional firewall
rules, including the
default-allow-internal rule, which permits communication among instances in the
network.
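The following is an added illustration, not Google's code or a real API: a small Python model of how the rules described above are evaluated against a packet. The two implied rules sit at the lowest priority so that ingress falls through to deny and egress to allow; a rule such as default-allow-internal, with a lower priority number, matches first and permits traffic among instances. The priority values, the 10.128.0.0/9 source range, the extra deny rule and the sample packets are constructed for this example and are not taken from the page.

```python
"""Toy model of how a VPC network's distributed firewall decides a packet.
Added illustration, not Google's code. Priority values, the 10.128.0.0/9
range and the sample packets are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str              # "INGRESS" or "EGRESS"
    action: str                 # "allow" or "deny"
    priority: int               # 0..65535; a lower number is evaluated first
    ranges: Tuple[str, ...]     # source CIDRs (ingress) or destination CIDRs (egress)
    protocols: Tuple[str, ...] = ("all",)   # "all", "icmp", "tcp:22", "udp:0-65535"


@dataclass(frozen=True)
class Packet:
    direction: str
    peer_ip: str                # source for ingress, destination for egress
    protocol: str               # "tcp", "udp" or "icmp"
    port: Optional[int] = None


# The two implied rules present in every VPC network, at the lowest priority.
IMPLIED_RULES = (
    Rule("implied-deny-ingress", "INGRESS", "deny", 65535, ("0.0.0.0/0",)),
    Rule("implied-allow-egress", "EGRESS", "allow", 65535, ("0.0.0.0/0",)),
)

# Constructed stand-in for the default network's default-allow-internal rule.
DEFAULT_ALLOW_INTERNAL = Rule(
    "default-allow-internal", "INGRESS", "allow", 65534,
    ("10.128.0.0/9",), ("tcp:0-65535", "udp:0-65535", "icmp"),
)


def _protocol_matches(spec: str, pkt: Packet) -> bool:
    if spec == "all":
        return True
    proto, _, ports = spec.partition(":")
    if proto != pkt.protocol:
        return False
    if not ports:                      # e.g. "icmp" or a bare "tcp"
        return True
    lo, _, hi = ports.partition("-")
    low, high = int(lo), int(hi or lo)
    return pkt.port is not None and low <= pkt.port <= high


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    addr = ip_address(pkt.peer_ip)
    if not any(addr in ip_network(cidr) for cidr in rule.ranges):
        return False
    return any(_protocol_matches(p, pkt) for p in rule.protocols)


def evaluate(rules: Iterable[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule_name) of the first matching rule.

    Rules are walked from the lowest priority number upward; at equal
    priority a deny rule is ordered before an allow rule. The implied rules
    sort last, so ingress falls through to deny and egress to allow.
    """
    ordered = sorted(
        list(rules) + list(IMPLIED_RULES),
        key=lambda r: (r.priority, 0 if r.action == "deny" else 1),
    )
    for rule in ordered:
        if _rule_matches(rule, pkt):
            return rule.action, rule.name
    raise RuntimeError("unreachable: an implied rule matches every packet")


# Constructed rule set: the default network plus one custom deny that wins
# over default-allow-internal because its priority number is lower.
DEFAULT_NETWORK_RULES = (
    DEFAULT_ALLOW_INTERNAL,
    Rule("deny-internal-mysql", "INGRESS", "deny", 1000, ("10.128.0.0/9",), ("tcp:3306",)),
)


def demo() -> dict:
    """Evaluate a few constructed packets and return the outcomes by label."""
    packets = {
        "internal-http": Packet("INGRESS", "10.128.0.5", "tcp", 8080),
        "internal-mysql": Packet("INGRESS", "10.128.0.5", "tcp", 3306),
        "internet-http": Packet("INGRESS", "203.0.113.7", "tcp", 8080),
        "egress-https": Packet("EGRESS", "203.0.113.7", "tcp", 443),
    }
    return {label: evaluate(DEFAULT_NETWORK_RULES, pkt) for label, pkt in packets.items()}


if __name__ == "__main__":
    for label, (action, rule) in demo().items():
        print(f"{label:15} -> {action:5} by {rule}")
```

The point to take from the model is that "blocked by default" only holds for ingress: egress is open unless an explicit deny rule says otherwise, and any allow rule whose priority number is lower than 65535 overrides the implied ingress deny for the traffic it matches, so broad source ranges in allow rules deserve review.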

Routes

Routes tell VM instances and the VPC network how to send traffic
from an instance to a destination, either inside the network or outside of
GCP. Each VPC network comes with some system
generated routes to route traffic among
its subnets and send traffic from
eligible instances to the Internet.

You can create custom static routes to direct some packets to specific
destinations. For example, you can create a route that sends all outbound
traffic to an instance configured as a NAT
gateway.
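As an added illustration (not Google's code or a real API), the Python model below shows how the routes just described are chosen for a packet: subnet routes carry traffic among subnets, a default route sends Internet-bound traffic to the internet gateway, and a custom static route applied by network tag steers outbound traffic from selected instances to an instance configured as a NAT gateway. The subnet ranges, route names, priority values and the tag name are constructed for this example; the page itself does not list the system-generated routes' values.

```python
"""Toy model of route selection in a VPC network. Added illustration, not
Google's code. Subnet ranges, route names, priorities and the network tag
are constructed for this example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Route:
    name: str
    dest: str                   # destination CIDR
    next_hop: str               # e.g. "subnet", "default-internet-gateway", "instance:nat-gw"
    priority: int = 1000        # lower number wins among routes of equal prefix length
    tags: Tuple[str, ...] = ()  # empty = applies to every instance in the network


# Constructed route table for one network with two subnets.
ROUTES = (
    Route("subnet-us-central1", "10.128.0.0/20", "subnet"),
    Route("subnet-europe-west1", "10.132.0.0/20", "subnet"),
    Route("default-route", "0.0.0.0/0", "default-internet-gateway", 1000),
    # Custom static route: instances tagged "no-public-ip" send Internet-bound
    # traffic to the NAT gateway instance instead of the internet gateway.
    Route("nat-route", "0.0.0.0/0", "instance:nat-gw", 800, ("no-public-ip",)),
)


def select_route(routes: Iterable[Route], dst_ip: str,
                 instance_tags: Tuple[str, ...] = ()) -> Optional[Route]:
    """Pick the route an instance would use for dst_ip.

    Only routes whose destination contains dst_ip and whose tag list is empty
    or intersects the instance's tags are candidates. Among candidates the
    longest (most specific) prefix wins; ties go to the lowest priority number.
    """
    addr = ip_address(dst_ip)
    candidates = [
        r for r in routes
        if addr in ip_network(r.dest) and (not r.tags or set(r.tags) & set(instance_tags))
    ]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ip_network(r.dest).prefixlen, r.priority))


def next_hop_for(dst_ip: str, instance_tags: Tuple[str, ...] = ()) -> Optional[str]:
    """Next hop from the constructed ROUTES table, or None if nothing matches."""
    route = select_route(ROUTES, dst_ip, instance_tags)
    return route.next_hop if route else None


if __name__ == "__main__":
    for dst, tags in [("10.132.0.9", ()), ("203.0.113.7", ()),
                      ("203.0.113.7", ("no-public-ip",))]:
        print(dst, tags, "->", next_hop_for(dst, tags))
```

Two things the model makes visible: traffic to another subnet never reaches the NAT route because the /20 subnet route is more specific than 0.0.0.0/0, and the NAT gateway instance itself must not carry the tag that selects the custom route, or its own outbound traffic would be pointed back at itself.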

Interfaces and IP Addresses

IP addresses

Alias IP ranges

If you have multiple services running on a single VM instance, you can give each
service a different internal IP address using Alias IP Ranges. The
VPC network forwards packets destined for each configured alias
IP to the corresponding VM.

Multiple Network Interfaces

You can add multiple network interfaces to a VM instance, where each interface
resides in a unique VPC network. Multiple network interfaces
enable a network appliance VM to act as a gateway for securing traffic among
different VPC networks or to and from the Internet.

VPC sharing and peering

Shared VPC

You can share a VPC network from one project (called a host
project) to other projects in your GCP organization. You can
grant access to entire Shared VPC networks or select subnets therein using
specific IAM permissions. This allows
you to provide centralized control over a common network while maintaining
organizational flexibility. Shared VPC is especially useful in large
organizations.

VPC Network Peering

VPC Network Peering lets you build SaaS
(Software-as-a-Service)
ecosystems in GCP, making services available privately across
different VPC networks, whether the networks are in the same
project, different projects, or projects in different organizations.

With VPC Network Peering, all communication happens using private, RFC 1918 IP addresses.
Subject to firewall rules, VM instances in each peered network can communicate
with one another without using external IP addresses. Peered networks only share
their subnet routes. Network administration for each peered network is
unchanged: Network and Security admins for one network do not automatically get
those roles for the other network in the peering relationship. If two networks
from different projects are peered, project owners, editors, and compute
instance admins in one project do not automatically receive those roles in the
project that contains the other network.